Common Targets and Patterns of Malicious Software: Files, Registry Keys, and System Settings

Malicious software often targets specific files, registry keys, and system settings to achieve its objectives, such as persistence, data theft, or system disruption. Here are some common patterns and similarities found in most malware:

  • Files Typically Targeted by Malware
  • Common Registry Keys Targeted by Malware
  • Common Techniques and Patterns
  • Examples of Targeted Locations

Files Typically Targeted by Malware

  1. System Files:

    • Executable Files (EXE, DLL): Malicious software often injects code into legitimate executable files or replaces them to ensure they run at startup.
    • System Configuration Files: Files such as win.ini, system.ini, and boot.ini on Windows systems can be modified to load malicious code.
  2. User Data Files:

    • Documents and Spreadsheets: Files like .docx, .xlsx, .pdf are often targeted for data theft or encryption (ransomware).
    • Database Files: Files related to database management systems, such as .mdb for Microsoft Access, are also targeted for sensitive data.
  3. Temporary and Cache Files:

    • Temp Files: Malware often uses temporary folders (C:\Windows\Temp, C:\Users\[Username]\AppData\Local\Temp) to store its payloads or logs.
    • Cache Files: Browser cache files and cookies are targeted for stealing session data and credentials.
  4. Startup Files:

    • Autostart Locations: Files in autostart directories (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup) are modified or created to ensure malware runs at startup.

Common Registry Keys Targeted by Malware

  1. Run Keys:

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • These keys are commonly used to ensure malware runs every time the system starts.
  2. Service Keys:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • Malware may create or modify services to run malicious code as a service, ensuring it has higher privileges and persistence.
  3. Explorer Keys:

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    • These keys can be modified to change the behavior of Windows Explorer or to hide malicious files.
  4. Browser Helper Objects (BHOs):

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    • Malware may add BHOs to intercept and manipulate web traffic.
  5. Shell Extensions:

    • HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    • Malware can add entries here to execute code when certain actions are performed on files, like right-clicking.
  6. Startup Applications:

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • Malware may modify the Userinit or Shell values to execute its code during user logon.

Common Techniques and Patterns

  1. Persistence Mechanisms:

    • Run/RunOnce Keys: Ensure malware starts on boot.
    • Scheduled Tasks: Use of schtasks to create scheduled tasks that execute malware at specific times or system events.
  2. Code Injection:

    • DLL Injection: Injecting malicious DLLs into legitimate processes.
    • Process Hollowing: Hollowing out the memory of a legitimate process to run malicious code.
  3. Obfuscation and Encryption:

    • File Encryption: Ransomware encrypts user files and demands ransom for decryption.
    • Obfuscated Code: Malware often obfuscates its code to avoid detection by antivirus software.
  4. Credential Theft:

    • Keylogging: Malware installs keyloggers to capture keystrokes.
    • Credential Dumping: Reading password hashes from the SAM (Security Account Manager) database or from LSASS process memory, often with tools such as Mimikatz.
  5. Network Communication:

    • Backdoors: Installing backdoors to maintain remote access.
    • Command and Control (C2): Malware communicates with a remote server for instructions, data exfiltration, or updates.

Examples of Targeted Locations

  1. Registry Autorun Locations:

    • Malware frequently adds entries to Run and RunOnce keys.
  2. Startup Folder:

    • Placing shortcuts or executable files in the Startup folder to ensure execution at system startup.
  3. Common Directories:

    • %SystemRoot%\System32
    • %SystemRoot%\SysWOW64
    • %AppData%
    • %LocalAppData%
    • %Temp%
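
The following Python script is an added example, not code from the original post. It ties together the registry keys listed under "Common Registry Keys Targeted by Malware" and the directories listed just above: it parses a constructed .reg export of the Run and Winlogon keys, flags autorun commands whose executable lives in a temporary or per-user directory, and flags Winlogon Shell/Userinit values that deviate from their defaults. The key paths are the ones from the post; the entry names, file names and the account name "alice" are made up for the example.

```python
"""Triage Windows autorun entries from a registry export (added example)."""
import re

# Constructed sample in "Windows Registry Editor" export format. The value
# names, file names and account name are invented for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDriveUpdate"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\svch0st.exe\" /silent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\update.exe"
'''

# Directories from the post where autorun targets are commonly dropped,
# normalised to lower-case forward slashes. Most specific first.
SUSPICIOUS_DIRS = (
    "/appdata/local/temp/",   # %Temp% for a user
    "/windows/temp/",         # C:\Windows\Temp
    "/appdata/roaming/",      # %AppData%
    "/appdata/local/",        # %LocalAppData%
    "/programdata/",
    "/users/public/",
)

# One string value line: "Name"="value" or @="value". Skips dword/hex values.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: string}} for REG_SZ values in a .reg file."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            # .reg escapes backslash and quote with a backslash; undo left to right.
            entries[current][name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return entries


def extract_executable(command):
    """Program path from an autorun command line (quoted, or up to first space)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]  # unquoted paths with spaces are a known limitation


def suspicious_dir(path):
    """Return the matching suspicious directory pattern, or None."""
    norm = path.lower().replace("\\", "/")
    return next((d for d in SUSPICIOUS_DIRS if d in norm), None)


def check_winlogon(values):
    """Flag Shell/Userinit values that differ from the Windows defaults."""
    findings = []
    shell = values.get("Shell", "")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is '{shell}', expected 'explorer.exe'")
    for part in values.get("Userinit", "").split(","):
        part = part.strip().lower()
        # Default is "C:\Windows\system32\userinit.exe," so any other entry is extra.
        if part and not part.endswith("\\system32\\userinit.exe"):
            findings.append(f"Winlogon Userinit runs extra program '{part}'")
    return findings


def triage(reg_text):
    """Run every check over an export and return a list of finding strings."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf == "winlogon":
            findings.extend(check_winlogon(values))
        elif leaf in ("run", "runonce"):
            for name, command in values.items():
                exe = extract_executable(command)
                hit = suspicious_dir(exe)
                if hit:
                    findings.append(f"{key}\\{name} -> {exe} (in {hit})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print("FLAG:", finding)
```

On a real host the input would come from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and likewise for the HKCU Run and the Winlogon key), which writes the same format as the sample; the script only reads the export, so it can run on an analysis machine rather than on the suspect system. Expect hits under %LocalAppData% and %AppData% from legitimate per-user installers as well, so treat those directories as a prompt to compare against a known-good baseline rather than as a verdict, while a modified Winlogon Shell or Userinit value is rarely legitimate.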

By understanding these common patterns and similarities, you can better anticipate and identify malicious behavior during dynamic analysis. Always keep your analysis environment isolated and up-to-date with the latest security tools and practices.
